In an effort to get to know the Fintech ecosystem and their representatives better, we asked them a few questions as a part of our series of interviews: The Innovators.
This time we caught up with Barbara Terra, Sales Director of Hacknowledge Luxembourg, who told us a bit more about Hacknowledge and her collaboration with another LHoFT member, UME, and Security made in Luxembourg (SMILE).
1) Could you please introduce yourself, and tell us a little about Hacknowledge?
My name is Barbara Terra and I am the Sales Director of Hacknowledge Luxembourg.
I was previously living in Switzerland and working in cybersecurity solutions integration. The headquarters of Hacknowledge are in Switzerland, which explains how I ended up in Luxembourg. I am now in charge of sales for the Hacknowledge solution here, where we are implementing our first subsidiary - reproducing and adapting a model that has been successful in Switzerland.
Hacknowledge is a company dedicated to cybersecurity, and our mission is to help companies of any size and any sector detect threats in their networks and react accordingly. We are not only a managed SIEM (Security Information and Event Management), and not only a SOC (Security Operations Center), but we are an innovative, all-in-one, managed detection and response solution, democratizing the SOC approach. SOCs are normally only affordable to large companies, or banks, not to small or medium-sized companies. So, we enable those companies to get a SOC (and more) with our services. We are also providing penetration test services (“pentest”), which were originally the business of Hacknowledge founder, Paul Such.
2) What is the most underestimated cybersecurity challenge for tech companies right now?
Each company builds its own security, according to the available budgets and resources.
The challenge we see in most companies, no matter the size or the sector, is the maintenance of this security at a good level over time, because security demands constant maintenance, correction and adaptability to an ever-changing environment. So, we usually end up finding companies that are using expensive and powerful solutions which are underused or misused because of this lack of maintenance. Furthermore, those companies often do not have a full overview and centralization of the cybersecurity systems, so they are drastically lacking visibility over time.
3) Being part of the LHoFT enabled you to touch base with another LHoFT member, UME, who have developed an automated framework for the due diligence of fund distributors. Having conducted an infrastructure security audit for them, can you describe the differences between auditing a startup vs. a more established company? What are the pain points?
The major obvious differences are twofold:
1) smaller companies may have smaller budgets to allocate to security even if they are aware it is an important issue;
2) they are developing new innovative technologies which require alternative and innovative security checks and solutions. Penetration testing is often seen as overkill at this scale. So, we need to be realistic. If we want to conduct a real security audit then we need to reduce the budget - setting the cursor where we can see the most in the shortest time. Additionally, security is often not the first priority of new companies when they build their solutions, platforms or applications. They may not apply the best practices in terms of security, so checking the security of their base is very important, because this is an environment that is meant to grow, so the better the bases are, the healthier it will grow.
Of course, the smaller the environment the quicker the test, which is why we recommend that young companies run a pentest on their environment at an early stage. It can also be a requirement from investors to assure the seriousness of the business and the commitment to their customers. This is a vicious circle, because sometimes the company does not have the budget but has to run such a test to reassure potential customers. This is where we thought of a dedicated offer to startups and SMEs.
Today we have a concrete example, as we worked with UME, another LHoFT member, on a security audit following a direct request from one of their prospects. The LHoFT was the perfect environment to develop this offering, as we have the possibility to work directly with UME, talking even on an “hourly basis” as they are our office neighbour. We are also a young company here in Luxembourg, so we know the constraints applicable to the other companies. We understand their needs and we want to help them build on a strong and healthy environment.
Laurent Denayer, CEO of UME commented: “Having the possibility to work with a company at the LHoFT enabled us to develop a collaborative and efficient approach that was beneficial for both Hacknowledge and ourselves. Hacknowledge was able to customise their methodology to our own needs and technology. As a result, we have now a more robust IT environment. Our clients trust even more our product.”
4) You are currently building a cybersecurity and pentesting offering with Security Made in Luxembourg dedicated to startups and SMEs. How did the partnership begin, and can you tell us more about the service?
When we arrived in Luxembourg, we got in touch with many actors, including Security Made in Luxembourg (SMILE), to introduce ourselves as a new actor in the cyber-ecosystem, and asked how we could actively collaborate in this ecosystem and help them promote cybersecurity to Luxembourg companies. The conclusion was that we are in an environment with startups and SMEs, we are ourselves a young company and we have, based on the expertise of the team in Switzerland, very experienced pentesters. Hacknowledge founder Paul Such previously founded and directed for 15 years the pentest leader in Switzerland, SCRT, and he created the Swiss hacking contest Insomni’hack in Geneva. This was clearly the perfect moment for us to build a cybersecurity offer dedicated to startups and SMEs here in Luxembourg.
The idea is to develop a pentest offer dedicated to smaller environments. We wanted to standardize the pentest we are offering, with different modules available in a limited way. We then deliver an executive report that can be shared with an investor or a customer and provide remediation advice on findings. This enables the company to know where it stands in terms of security and to remediate unsafe practices where applicable. Of course, we cannot be judge and party, so we do not apply the remediation ourselves, but we propose to conduct validation tests after the remediation has been applied.
Pascal Steichen, CEO from Security made in Luxembourg (SMILE) added: “From the perspective of SECURITYMADEIN.LU, building a partnership with Hacknowledge in order to develop a new way of helping start-ups fits with a key element of our strategy. As the platform supporting the security ecosystem in Luxembourg, SECURITYMADEIN.LU realised that start-ups were given the choice between either nothing or a full-blown, and most likely too expensive, certification. Developing a new approach to make security testing less daunting allows start-ups to improve their cybersecurity posture without mobilizing an excessive amount of resources.”
5) “To beat a hacker, you need to think like a hacker.” Do you think this is a sensible mindset?
Yes, the types of attacks between hackers and “pentesters” are really similar, using the same tools, in the same mindset, but of course there are differences.
On the pentest side:
- It is always a planned exercise: customers know exactly when it happens.
- We agree on the perimeter to audit beforehand, so it is not as wild as the hacker world.
- Some types of attacks can be excluded: e.g. no DDoS (distributed denial-of-service attack), no trojan, no social engineering…
- Unlike for hackers, the time spent on a pentest is limited. A penetration test of X days will represent what a hacker trying to attack an organization for X days could find.
Luxembourg is not a country that is completely safe from cybersecurity attacks, but in terms of budget allocated per company and awareness around this question, Luxembourg is, I believe, very well positioned - like Switzerland - and that is also why Hacknowledge decided to come to Luxembourg. We have noticed lately that even at the board level there is a real understanding of cybersecurity threats, anticipation and solutions.